16600 matches found
CVE-2023-37918
Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. A vulnerability has been found in Dapr that allows bypassing API token authentication, which is used by the Dapr sidecar to authenticate calls coming from the application, with a well-crafted HT...
Add Unique Asset Context with Custom Attributes in CSAM
There is no such thing as “too much context” when it comes to asset management. Continuous discovery and comprehensive, normalized asset data create the foundation for streamlined risk detection and response. The more reliable asset data a security team has, the better it can operationalize an...
CVE-2023-37276
A flaw was found in aio-libs aiohttp, where it is vulnerable to HTTP request smuggling, caused by a flaw in the aiohttp.web.Application. By sending a specially crafted HTTPS request, an attacker can poison the web cache, bypass web application firewall protection, and conduct Cross-site scripting...
HTTP Request Smuggling
aiohttp is vulnerable to HTTP Request Smuggling. The vulnerability occurs due to the use of vulnerable llhttp component. When a specially constructed HTTP request is submitted, it leads to HTTP request smuggling because the server interprets one of the HTTP header values incorrectly. Only aiohttp...
OS Command Injection
github.com/1panel-dev/1panel is vulnerable to OS Command Injection. The vulnerability exists in the 1Panel firewall functionality which allows an attacker to inject and execute arbitrary commands using a specially-crafted authenticated HTTP request...
inDrive: Bypassing Garbage Collection with Uppercase Endpoint
A vulnerability was discovered in the garbage collection process, allowing the bypass of the "/metrics" endpoint by using uppercase letters. This could potentially lead to unauthorized access to sensitive information or resources and possible data manipulation. Other endpoints with similar patter...
Fedora 38 : nodejs16 (2023-608a1417d3)
The remote Fedora 38 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-608a1417d3 advisory. 2023-06-20, Version 16.20.1 'Gallium' LTS, @RafaelGSS This is a security release. Notable Changes The following CVEs are fixed in this release:...
Fedora 37 : nodejs16 (2023-61e40652be)
The remote Fedora 37 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-61e40652be advisory. 2023-06-20, Version 16.20.1 'Gallium' LTS, @RafaelGSS This is a security release. Notable Changes The following CVEs are fixed in this release:...
aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser
Impactaiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6 which is vulnerable to CVE-2023-30589. The vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel.This vulnerability only affects users of aiohttp as an HT...
aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser
Impact aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6 which is vulnerable to CVE-2023-30589. The vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel. This vulnerability only affects users of aiohttp as an...
GHSA-45C4-8WX5-QW6W aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser
Impact aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6 which is vulnerable to CVE-2023-30589. The vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel. This vulnerability only affects users of aiohttp as an...
PYSEC-2023-120 aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser
Impact aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6 which is vulnerable to CVE-2023-30589. The vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel. This vulnerability only affects users of aiohttp as an...
phpFM 1.7.9 Authentication Bypass / Shell Upload
Exploit Title: phpfm v1.7.9 - Authentication type juggling Date: 2023-07-10 Exploit Author: thoughtfault Vendor Homepage: https://www.dulldusk.com/phpfm/ Software Link: https://github.com/dulldusk/phpfm/ Version: 1.6.1-1.7.9 Tested on: Ubuntu 22.04 CVE : N/A """ An authentication bypass exists in...
Amazon Linux 2023 : nodejs, nodejs-devel, nodejs-full-i18n (ALAS2023-2023-237)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2023-237 advisory. The use of proto in process.mainModule.proto.require can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the...
Zimbra Collaboration Server 9.0.0 < 9.0.0 Patch 33 Multiple Vulnerabilities
According to its self-reported version number, Zimbra Collaboration Server is affected by multiple vulnerabilities including: - Vulnerability in the sfdcpreauth.jsp component. A remote, unauthenticated attacker can exploit this vulnerability to execute arbitrary code. CVE-2023-29382 - HTTP reques...
Zimbra Collaboration Server 8.8.x < 8.8.15 Patch 40 Multiple Vulnerabilities
According to its self-reported version number, Zimbra Collaboration Server is affected by multiple vulnerabilities including: - Vulnerability in the sfdcpreauth.jsp component. A remote, unauthenticated attacker can exploit this vulnerability to execute arbitrary code. CVE-2023-29382 - HTTP reques...
CVE-2023-37276
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6. Vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel. This vulnerability only...
DEBIAN-CVE-2023-37276
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6. Vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel. This vulnerability only...
Design/Logic Flaw
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6. Vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel. This vulnerability only...
UBUNTU-CVE-2023-37276
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6. Vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel. This vulnerability only...